Website survey

We want your feedback on the Scottish Parliament website. Take our 6 question survey now

Skip to main content

Language: English / GĂ idhlig

Loading…

Test and Protect: Information for hospitality and QR codes

This privacy statement explains how we collect and use personal information to support NHS Scotland's Test and Protect strategy when you visit certain hospitality areas by the use of QR codes. We are the data controller for this process.

Some of the language used in privacy notices can be specialised.  The Information Commissioner's website provides a useful introduction to key terms and concepts.


There is a legal requirement for the Scottish Parliament to collect information about those individuals who visit certain hospitality areas for the health and safety of all. This information will be securely collected by the direct use of QR readers by customers. The QR system is provided by the Scottish Government via their “Check-In Scotland” mobile phone app and more information is provided later in this notice. The readers are located within hospitality areas. You can also provide your details manually if it is not possible for you to use the QR reader.

Further information about QR codes in the Parliament

Further information about Check-In Scotland, in addition to that provided in this notice

More information about Test & Protect is contained in the Scottish Government Guidance on the collection of visitor contact details see:

The purposes of the processing

The purpose of the processing of your personal data is to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic and comply with related legal requirements. This involves gathering and, when necessary, the sharing of information with NHS Scotland as the responsible body for Test and Protect. Your data will not be used for any other purpose.

The Scottish Parliamentary Corporate Body (SPCB) must be able to respond to a request from a public health officer for this data as soon as reasonably practicable and in any event within 24 hours. Therefore, the SPCB has put in place arrangements to seek to facilitate this in a secure and effective manner whilst respecting individuals’ rights. Data collected via the QR code is held directly by the Scottish Government. Data collected manually by catering staff is held by the SPCB.

Categories of information processed

Personal data, as defined by the UK General Data Protection Regulation (UK GDPR) about individuals’ visits to hospitality venues within the Parliament e.g. names, telephone numbers, and location/ time of visit.

Type of data collected

Along with the date and time of your arrival the following mandatory personal data are collected.

  • your name; and one of
  • contact telephone number
  • contact email address
  • contact postal address

with the preferred contact route being a phone number.

Information collected by QR code will not be held or stored by the SPCB.

Source of the information

Test and protect information is provided directly by individuals (the data subjects) via the QR code system or to staff if not using the QR code system

Read further information on the NHS Scotland Test and Protect strategy on the NHS website.

Legal basis for processing

Data protection law states that we must have a legal basis for handling your personal data.

The legal basis for the processing of personal data is that it is necessary for compliance with a legal obligation (Article 6 (1)(c) UK GDPR.)

Data sharing

The information provided when using a QR Code at one of the Parliament’s hospitality venues will be shared directly with our third party QR service provider Safe2Go for the purpose of collecting and securely holding the data. The SPCB does not have access to it.

By using Check-In Scotland, NHS Scotland will be able to access relevant information automatically without requesting that information from the SPCB. NHS Scotland will use the data to contact trace those who were in any of our hospitality venues and who may have come into contact with a positive case, and will provide guidance and support to those who may be advised to self-isolate.

Information provided manually will be collected by catering staff and held securely on SPShare. If the Scottish Parliament receives a request for data from NHS Scotland for test and protect reasons this data will be provided by the SPCB to NHS Scotland solely for this purpose.

The information you provide will not be shared by the Scottish Government or the SPCB for any other purpose.

Storage of personal data

The personal data collected via QR Code will be automatically sent to NHS National Services Scotland to be held securely in an encrypted data store. This data will not be accessed unless required in response to an outbreak of COVID-19.

Contact details collected manually will be held securely on SPShare up to the point of deletion.

Retention of data

Your personal data will be retained only for the purposes stated in this privacy notice. The relevant regulations require that it must be held for at least 21 days. This aims to allow time for the virus incubation period (14 days) and follow up contact tracing (7 days).

The data collected via QR code will be disposed of in a safe and secure manner within 22 days.

The data collected by the Scottish Parliamentary Corporate Body will be securely deleted after 23 days.

Mobile app permissions

Certain device permissions are required to run the Check In Scotland app. For Android, this is a permission to allow the Check In Scotland app to use the phone's camera to scan a QR code. For iOS (Apple), camera and push notifications are required (the push notifications are required in relation to check-ins when the phone is not connected to the internet). These settings can be managed through the phone's settings section.

Children and young people safeguarding and child protection

In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a

concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.

Your rights

Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.

The following rights may apply:

Access to your information

You have the right to request a copy of the personal information about you that we hold.   

Further information on how to make a data protection 'subject access request'.

Correcting your information

You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information

You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue. 

  • please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent
  • the right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you 

Deletion of your information

You have the right to ask us to delete personal information about you where:

  • you consider that we no longer require the information for the purposes for which it was obtained
  • we are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
  • you have validly objected to our use of your personal information – see Objecting to how we may use your information above
  • our use of your personal information is contrary to law or our other legal obligations
  • please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest. 
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you. 

Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to using your information

Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.

Please contact us in any of the ways set out below if you wish to exercise any of these rights. 

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on this website.  Paper copies of the privacy statement may also be obtained using the contact information below. 

This privacy statement was last updated on 5 May 2021.  

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:
The Scottish Parliament
Edinburgh
EH99 1SP

Telephone: 0131 348 6913

(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)

Email: [email protected]

Please contact us if you require information in another language or format

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.

Or by phone at: 0303 123 1113

Share this page